Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Suppress results containing field value with multi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search triggering for a certain failed threshold for a monitored value. Instead of making 7 alerts one per customer, I made one search and one alert creating a table of results. Hence I needed to use the "Trigger for each result" option in alerts.
Then I needed to suppress per customer when the trigger value exceeded threshold. My alert searches every minute for the last 15 minutes, and is supposed to throttle for 15 minutes on hit.
Googling and documentation suggest setting 'customer' field in the "Suppress results containing field value" text box in Splunk. This did not suppress when "For each result" was enabled, and I got an alert every minute.
So how to do it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The wanted behavior was achieved by using the $$ syntax to reference values extracted at search time.
| Suppress results containing field value: | customer = $result.customer$ |
Setting this in the alert I both got alert per row in my resulting table, and suppress on value (result.customer) per customer. So that each customer is alerted on only once per 15 minutes in my case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The wanted behavior was achieved by using the $$ syntax to reference values extracted at search time.
| Suppress results containing field value: | customer = $result.customer$ |
Setting this in the alert I both got alert per row in my resulting table, and suppress on value (result.customer) per customer. So that each customer is alerted on only once per 15 minutes in my case.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
